It seems the Search crawl account needs to be given read permissions on all user accounts and groups.

The MSDN KB article has all the technical reasons why.

Here is how you give these permissions to the crawl account:

The Windows Authorization Access Group (WAA group) has read permissions to the TGGAU attribute of all user accounts and groups. So, if you add the SharePoint Services service accounts to the WAA group, the SharePoint Services service account has read permissions to the TGGAU attribute of the user accounts.

To add the SharePoint Services service account to the WAA group, follow these steps:

On the domain controller, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

In the Active Directory Users and Computers window, expand DomainName, and then click Users or another appropriate organizational unit (OU).

Double-click the SharePoint Services service account you want to modify.

In the Properties dialog box, click the Member Of tab.

On the Member Of tab, click Add.

In the Select Groups dialog box, type Windows Authorization Access Group under Enter the object names to select, and then click OK.

At a client recently, I was tasked with creating an inventory of all the Active Directory groups that give access to a SharePoint site! I built it mostly from scratch, so here it is, along with some explanations to help you use it:

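The original script is not reproduced on this page, so here is an added example of an inventory script of the kind described (my own code, not the author's). It assumes it runs in the SharePoint Management Shell on a farm server under an account that has Full Control in the Web Application User Policy; the $logfile path is a placeholder you change, as the instructions below say.

```powershell
# Added example, not the post's original script. Walks every web application,
# site collection and web in the farm and logs each Active Directory (domain)
# group that has been granted access, one line per site/group pair.
$logfile = "C:\Temp\SPGroupInventory.txt"   # placeholder: change to a folder that exists

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$found = New-Object System.Collections.Generic.List[string]

foreach ($webApp in Get-SPWebApplication) {
    foreach ($site in $webApp.Sites) {
        Write-Host "Scanning $($site.Url)"
        try {
            foreach ($web in $site.AllWebs) {
                # SiteUsers holds every principal known to the site: users and
                # groups. Keep only the items that are domain (AD) groups.
                foreach ($principal in $web.SiteUsers) {
                    if ($principal.IsDomainGroup) {
                        # In claims mode LoginName is an encoded claim (c:0+.w|<SID>),
                        # so log the display name as well for readability.
                        $found.Add($principal.Name)
                        Add-Content -Path $logfile `
                            -Value "$($site.Url)`t$($principal.Name)`t$($principal.LoginName)"
                    }
                }
                $web.Dispose()   # SPWeb objects must be disposed explicitly
            }
        }
        catch {
            # Access denied or a broken site should not abort the whole scan
            Write-Warning "Failed on $($site.Url): $_"
        }
        finally {
            $site.Dispose()
        }
    }
}

# Going a step beyond the post: the case-insensitive de-duplication done later
# in Notepad++ can be done here directly. Sort-Object -Unique ignores case
# unless -CaseSensitive is given, so "DOMAIN\Sales" and "domain\sales" collapse.
$unique = $found | Sort-Object -Unique
$unique | Set-Content -Path "$logfile.unique.txt"
Write-Host "$($unique.Count) unique domain groups written to $logfile.unique.txt"
```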

First of all, change the $logfile variable to a folder that exists to make sure the logs work.

Second, in the Central Administration, give yourself “Full Control” in the Web Application User Policy. This will make sure that you won’t have any access denied when you go through each and every site collection in your farm.

Afterwards, open the SharePoint Management Shell as an Administrator and run the script. Depending on the size of your farm, it shouldn't take too long, and you should see the progress of every site being scanned on the screen. At the end, you will have a text file that looks like this:

[Screenshot: the output text file]

You will notice in the screenshot that some group names are repeated, and that some of them are in capitals while others are lowercase.

So, I used Notepad++ to get all the unique group names!

First of all, go to Edit > Convert Case to > Uppercase!


To get unique lines, you will need the TextFX plugin. This used to be included in older versions of Notepad++, but if you have a newer version, you can add it from the menu by going to Plugins -> Plugin Manager -> Show Plugin Manager -> Available tab -> TextFX -> Install. In some cases it may also be called TextFX Characters, but this is the same thing.

After the plugin is installed, go to TextFX Tools and check the “sort ascending” and “sort outputs only UNIQUE lines” options. Afterwards, click “Sort lines case insensitive at column” (make sure you press Ctrl+A in the file to select all the lines before clicking).


Now, your Notepad++ will only show the unique group names in your SharePoint Farm!